Lumension® KnowledgeBase

Article Number:
539

Date Created:
04/28/2011

Last Updated:
02/01/2016

Article Type:
Frequently Asked Questions

Lumension's New Content Architecture

Description

Product:

Patch and Remediation

Versions:

Lumension Patch and Remediation

Summary:

This article describes the new content architecture for Lumension Patch and Remediation (formerly PatchLink Update) patch signatures and remediation patches.

Details

INTRODUCTION

Lumension is taking a proactive approach toward an era of open, standards-based systems. At its core, the Lumension platform is opening to content that has been created by the global content community. Embracing these varied sources helps Lumension deliver additional value through its products such as Security Configuration Management (SCM).

For Lumension customers, this new content architecture opens the door to a diverse range of security and application patches, configuration states, policy mappings, application hash libraries, software distributions, and IT best practice configurations that are constantly being made available by multiple vendors and standards bodies. This new content architecture helps lay the foundation on which we will be able to deliver more value over the next few years. We will be able to deliver a broader selection of content more quickly, and build more value into our offering in the future.

REQUIRED CONFIGURATIONS

Customers will need to update both servers and agents in order to enable content delivery via the new content architecture. Additionally, changes will need to be made to firewalls so that Update Servers can access vendor-specific remediation binaries and scan files. The following steps are required to take advantage of the new content architecture:

  1. Bring Update Server software up to minimum required levels.
    New Content Architecture support for Windows platforms requires Lumension Patch and Remediation Server version 6.4 SP1 or higher. New Content Architecture support for Linux platforms requires Lumension Patch and Remediation Server version 6.4 SP2 or higher. Customers using earlier versions will need to upgrade to take advantage of the New Content Architecture.
  2. Bring Update Agent software up to minimum required levels.
    The new content architecture requires the patch agent to be version 6.4 SP1 or higher. Depending on how the participating workstations are configured, both Lumension and third-party software may need to be deployed to them; for example, the Windows Update software must be version 3.0 or greater. A software installation package containing the necessary Lumension and Windows Update components will be made available from the Update Web Management Console for quick deployment to registered Update Agents.
  3. Modify firewall settings on behalf of Update Servers.
    Administrators of Update Servers need to notify their firewall personnel that new URLs must be allowed outbound from the Update Server. Without access to these URLs the Update Server cannot function as expected with the new content architecture.

For LEMSS 7.1, Installation Manager downloads the module XML configuration from the following URLs:

  • cache.patchlinksecure.net
  • cache.lumension.com

For Microsoft Windows content, this includes the following URLs:

  • go.microsoft.com
  • download.windowsupdate.com
  • www.download.windowsupdate.com
  • download.skype.com
  • download.microsoft.com

For Adobe application content, this includes the following URLs:

  • ardownload.adobe.com
  • armdl.adobe.com
  • download.adobe.com
  • swupdl.adobe.com
  • www.adobe.com

For Mozilla Firefox, this includes the following URL:

  • http://ftp.mozilla.org

For Ultra VNC, this includes the following URL:

  • http://support1.uvnc.com

For 7-Zip, this includes the following URL:

  • http://downloads.sourceforge.net

For VideoLAN VLC, this includes the following URL:

  • http://download.videolan.org

For Oracle Enterprise Linux, this includes the following URL:

  • linux-update.oracle.com

For HP-UX, this includes the following URLs:

  • itrc.hp.com
  • ftp.itrc.hp.com

For CentOS, this includes the following URLs:

  • mirror.centos.org
  • vault.centos.org

For Red Hat Enterprise Linux, this includes the following URL:

  • rhn.redhat.com

For Oracle Solaris, this includes the following URL:

  • https://getupdates.oracle.com

For additional information on firewall configurations for Microsoft Windows content, review the article on Microsoft’s TechNet Library: http://technet.microsoft.com/en-us/library/cc708605.aspx

Additional URLs may be required in the future, depending on the content sources you subscribe to. Allow these entries by hostname, exactly as listed; do not substitute their IP addresses, because the addresses behind these names change frequently (DNS round-robin and similar load-balancing arrangements) and an IP-based rule will silently stop matching when they do.

  4. Review the set of supported locales on your Update Servers.
    For new installations the default locale selection changes to U.S. English only; customers who are upgrading retain their previously configured locale selections. Update Servers cache the packages for every locale that is licensed and selected in the subscription configuration, so reviewing this setting is an important step toward preserving the overall efficiency of Update.
  5. Review the new content architecture settings on your Update Servers (6.4 SP1 and SP2).
    To verify that a server is enabled to receive content via the new content architecture, open the Content tab of the Subscription Service Configuration dialog box (Options > Subscription Services > Configure > Content).
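The following script is an added example, not part of the original article and not Lumension's own software. It reduces the content-source entries listed above to the bare hostnames a firewall change request should contain (step 3), renders them as a hostname-based proxy rule, and probes each host in the same spirit as the Content tab check in step 5, so that blocked sources are found before the feature is enabled. The Squid "dstdomain" rule syntax, the "update_server" source ACL it refers to, and the probe ports 443 and 80 are assumptions; adapt them to your own firewall.

```python
"""Egress allow-list helper for an Update Server moving to the new content architecture.

Added example, not Lumension code. Squid ACL syntax, the 'update_server' source ACL
and the probe ports are assumptions.
"""
import socket
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Entries as they appear in the article: some bare hostnames, some with a scheme.
CONTENT_SOURCES: Dict[str, List[str]] = {
    "Lumension": ["cache.patchlinksecure.net", "cache.lumension.com"],
    "Microsoft Windows": ["go.microsoft.com", "download.windowsupdate.com",
                          "www.download.windowsupdate.com", "download.skype.com",
                          "download.microsoft.com"],
    "Adobe": ["ardownload.adobe.com", "armdl.adobe.com", "download.adobe.com",
              "swupdl.adobe.com", "www.adobe.com"],
    "Mozilla Firefox": ["http://ftp.mozilla.org"],
    "Ultra VNC": ["http://support1.uvnc.com"],
    "7-Zip": ["http://downloads.sourceforge.net"],
    "VideoLAN VLC": ["http://download.videolan.org"],
    "Oracle Enterprise Linux": ["linux-update.oracle.com"],
    "HP-UX": ["itrc.hp.com", "ftp.itrc.hp.com"],
    "CentOS": ["mirror.centos.org", "vault.centos.org"],
    "Red Hat Enterprise Linux": ["rhn.redhat.com"],
    "Oracle Solaris": ["https://getupdates.oracle.com"],
}


def hostname(entry: str) -> str:
    """'http://ftp.mozilla.org' and 'ftp.mozilla.org' both become 'ftp.mozilla.org'."""
    target = entry.strip()
    if "://" not in target:
        target = "//" + target  # urlsplit only sees a netloc after a scheme or '//'
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no hostname in {entry!r}")
    return host.lower()


def allow_list(sources: Dict[str, List[str]] = CONTENT_SOURCES) -> List[str]:
    """Sorted, de-duplicated hostnames for the firewall change request."""
    return sorted({hostname(e) for entries in sources.values() for e in entries})


def plain_http_sources(sources: Dict[str, List[str]] = CONTENT_SOURCES) -> List[str]:
    """Hosts the article lists with an explicit http:// scheme. Those downloads are not
    protected by TLS, so the hash check against GSS metadata is their only integrity control."""
    return sorted(hostname(e) for entries in sources.values() for e in entries
                  if e.startswith("http://"))


def squid_acl(hosts: List[str], name: str = "lumension_content") -> str:
    """Hostname-based rule: matches the names, not whatever IPs they resolve to today."""
    lines = [f"acl {name} dstdomain {h}" for h in hosts]
    lines.append(f"http_access allow update_server {name}")  # assumed src ACL for the Update Server
    return "\n".join(lines)


def tcp_connect(host: str, port: int, timeout: float = 5.0) -> bool:
    """Resolve and open a TCP connection; False on DNS failure, refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(hosts: List[str], ports=(443, 80),
          connector: Callable[[str, int], bool] = tcp_connect) -> Dict[str, Dict[int, bool]]:
    """Per-host reachability on each port; the connector is injectable so the logic runs offline."""
    return {h: {p: connector(h, p) for p in ports} for h in hosts}


def unreachable(results: Dict[str, Dict[int, bool]]) -> List[str]:
    """Hosts that answered on none of the probed ports: this is the list for the firewall team."""
    return sorted(h for h, by_port in results.items() if not any(by_port.values()))


if __name__ == "__main__":
    hosts = allow_list()
    print(squid_acl(hosts))
    print("plain-HTTP sources:", ", ".join(plain_http_sources()))
    for blocked in unreachable(probe(hosts)):
        print("BLOCKED:", blocked)
```

Run it on the Update Server itself (the only host that needs the egress), compare the BLOCKED list with the failure entries on the Content tab, and keep the rule in hostname form so it survives address changes at the vendors.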

FAQ

How does the new content architecture affect Update?
Under the existing content delivery process, the Lumension Content Development Team retrieves detection metadata and remediation binaries from vendor Web sites and hosts both on Lumension's Global Subscription Servers (GSS).

With the new content architecture, GSS continues to serve the metadata placed there by the Lumension Content Development Team, but the Update Server now downloads the remediation binaries directly from the vendor Web sites referenced in that metadata.

What content is being provided?
Content using the new content architecture will be provided for the following operating systems:

CentOS 5 (x86 and x86_64)
CentOS 4 (x86 and x86_64)
Microsoft Windows Server 2008 (32 and 64 bit)
Microsoft Windows 7 (32 and 64 bit)
Microsoft Windows Server 2008 R2 (64 bit)
Novell SUSE Linux 9 (x86 and x86_64)
Novell SUSE Linux 10 (x86 and x86_64, Desktop and Server)
Novell SUSE Linux 11 (x86 and x86_64, Desktop and Server)
Oracle Enterprise Linux 5 (x86 and x86_64)
Oracle Enterprise Linux 4 (x86 and x86_64)
Red Hat Enterprise Linux 5 (x86 and x86_64, Client and Server core)
Red Hat Enterprise Linux 4 (x86 and x86_64, AS, ES, WS)
Red Hat Enterprise Linux 3 (x86 and x86_64, AS, ES, WS)

Content using the new content architecture will be provided for the following applications:

Adobe Acrobat Professional
Adobe Acrobat Standard
Adobe Photoshop
Adobe InDesign
Adobe Air
Adobe Reader
Adobe Flash Player
Adobe Shockwave

What will customers see in Update Server 6.4 SP1 and SP2?
The initial phase of Lumension’s new content architecture consists largely of process and infrastructure changes. One change that is visible in the Update interface is that the Subscription Service Configuration dialog box has a new Content tab.

Delivery of content via the new content architecture is not enabled by default. Administrators can confirm that the steps they have taken to receive content via the new content architecture succeeded by opening the Subscription Service Configuration dialog box: select Options from the top menu on the Update Server home page, select the Subscription Services tab, select Configure from the bottom menu, and then select the Content tab. This page lists the web locations (URLs) from which content is retrieved, together with the result of the last retrieval attempt for each. Because a firewall may be blocking some of these URLs, the dialog doubles as a diagnostic tool showing which URLs connect successfully and which do not. An option is provided to export this URL access data for reporting purposes.

Why am I seeing Update Server Notifications for older content, including possibly content I had previously downloaded?
When support for a platform is released using the New Content Architecture, customers can expect to see a large influx of new content for that supported system. This may include a release of content previously downloaded, but which is downloaded again in a format that uses the new architecture.

How will I know if my Update Servers support the new content architecture in Update 6.4 SP1 and SP2?
Navigate to the Subscription Service Configuration dialog and ensure that the Enable radio button is selected. Also, you may refer to the retrieval results window in that same dialog to view a history of the URLs that were attempted, along with a current status.

How will I know if my Update Agents support the new content architecture?
Agents will show in the Update Management Console as being vulnerable for the package that adds a Native Scan API. Once this package is deployed, then that workstation is eligible to receive content via the new content architecture.

Must I really open up my firewall in order to support the new content architecture?
Yes, but remember that by doing so you are also opening the way for much better remediation, policy enforcement, and standards compliance. The exposure is also narrow: Update Servers still cache all remediation binaries, and agents retrieve patch binaries only from their Update Server, never from vendor sites. You therefore only need to allow outbound access from the Update Servers themselves, and only to the URLs for the content sources you will actually use.

How will I know if my firewall is configured correctly to access the new URLs?
If you are not configured correctly, you will see a failure status associated with specific URLs that are displayed in the Content tab of your Subscription Services Configuration dialog.

Will updating my Agents modify my Windows Update configuration?
No. Support for Windows content via the New Content Architecture leverages Microsoft’s Windows Update API and run-time to do native scanning, but does so independently of Microsoft’s use of Windows Update. Updating the Lumension Patch and Remediation Agent will not modify the Windows Update configuration, but administrators will need to set the Automatic Updates service to manual in order to leverage the New Content Architecture. See KB 682 for more information.

Does this mean that Lumension no longer tests content?
No. Lumension will continue to test content utilizing vendor vulnerability metadata and vendor-specific scanning methods during the content importing process undertaken by the Lumension Content Development Team. The new content architecture simply improves delivery time frames and in fact increases security and accuracy of the content delivery process.

Does this mean that Lumension no longer has a detection tool?
This is not the case; the detection tool remains. Lumension is simply augmenting its detection process. Lumension will leverage other vendors’ detection processes, but if need be, Lumension can augment, modify, or replace detection processes with its own at any time.

Isn’t accessing vendor sites insecure as compared with downloading files from Lumension?
With the new content architecture, the hash value of each binary can be validated against a value obtained independently of the download, and that validation can be performed by third parties as well as by Lumension. Comparing the hash of the downloaded file with the published value shows whether the content was modified after the vendor posted it, whether on the vendor's site or in transit (several of the sources listed above are reached over plain HTTP, so for those downloads the hash comparison is the integrity control). The comparison is only as trustworthy as the metadata that carries the expected hash, which still comes from GSS.

Remediation metadata is still confirmed and tested by the Lumension Content Team during the content importing process. Because the metadata now carries more attributes than a file location and a date stamp (a hash of the binary, for example), the new content delivery process is actually more secure and accurate than was possible before.
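The check described above, as an added example that is not part of the original article and not Lumension's own code: the untrusted bytes fetched from a vendor site are written to a quarantine file, compared against the size and hash that a trusted metadata record supplies, and only then moved into the cache directory that agents pull from. SHA-256, the "file"/"size"/"sha256" field names of the metadata record, and the quarantine-then-rename layout are assumptions; the article does not state which algorithm or fields Lumension uses. The sample payload and its metadata are constructed for the demonstration.

```python
"""Verify a vendor-hosted remediation binary against trusted metadata before caching it.

Added example, not Lumension code. SHA-256, the metadata field names and the
quarantine layout are assumptions.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Optional


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large patches are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_against_metadata(path: str, record: Dict[str, object]) -> Optional[str]:
    """Return None if the file matches the record, otherwise the reason it does not.
    Size is checked first (cheap, and catches truncated downloads); the hash is compared
    in constant time."""
    size = os.path.getsize(path)
    if size != int(record["size"]):
        return f"size mismatch: got {size}, metadata says {record['size']}"
    expected = str(record["sha256"]).lower()
    if not hmac.compare_digest(sha256_of(path), expected):
        return "sha256 mismatch"
    return None


def stage_binary(data: bytes, record: Dict[str, object], cache_dir: str) -> Optional[str]:
    """Write untrusted bytes to a quarantine file inside cache_dir, verify them, and rename
    into place only on success. Returns None when cached, else the rejection reason; a
    rejected file is deleted so nothing unverified is left where agents could fetch it."""
    os.makedirs(cache_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(prefix=".quarantine-", dir=cache_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        problem = verify_against_metadata(tmp, record)
        if problem is not None:
            return problem
        # basename() keeps a hostile 'file' value from escaping the cache directory
        os.replace(tmp, os.path.join(cache_dir, os.path.basename(str(record["file"]))))
        return None
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def demo() -> Dict[str, object]:
    """Constructed data: a fake patch payload, the metadata a trusted source would publish
    for it, the same payload with one byte flipped, and a truncated copy."""
    good = b"MSCF" + b"\x00" * 128 + b"example payload"  # constructed, not a real patch
    record = {"file": "example-patch.cab", "size": len(good),
              "sha256": hashlib.sha256(good).hexdigest()}
    tampered = bytearray(good)
    tampered[10] ^= 0x01
    with tempfile.TemporaryDirectory() as cache:
        results: Dict[str, object] = {
            "genuine": stage_binary(good, record, cache),
            "tampered": stage_binary(bytes(tampered), record, cache),
            "truncated": stage_binary(good[:-1], record, cache),
        }
        results["cache_contents"] = sorted(os.listdir(cache))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The important property is the ordering: nothing reaches the agent-facing cache path until the size and hash from the trusted record have been checked, and a failed check leaves no file behind. The expected hash must come from the metadata channel, never from the same vendor site as the binary, or the comparison proves nothing.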

How will non-Windows machines be affected by the new content architecture?
New platforms such as SUSE Linux, CentOS, and Oracle Enterprise Linux are supported through the new content architecture. Customers will no longer need to use the Content Update Tool in order to patch Sun Solaris and RHEL systems.

